4

Since GET parameters are passed in the URL, how can they be secure from someone with access to network logs? He would be able to see what URLs are accessed, even if he cannot see the request and response.

I ask because an API requires me to pass user data over HTTPS (their user's data ofc). The username and password are passed as HTTP AUTH: user:pass@site.com/api/messages

SoWhat

1 Answer

11

HTTPS uses Transport Layer Security (TLS). The Transport layer is layer 4, so everything above this layer is encrypted, which means all of HTTP is encrypted.

By default on most HTTP servers, all GET parameters are logged to the access log. The plaintext logging of authentication tokens is a vulnerability. The Authentication HTTP header is not logged by default.

rook
  • This [answer claims that the receiving server can store the URLs in the log](http://stackoverflow.com/questions/499591/are-https-urls-encrypted/4078443#4078443). It is unclear to me if they are stored encrypted or in cleartext. But even if they were encrypted, this would still offer another vector of attack. Could you clarify or expand your answer? You may take a [look at my question](http://stackoverflow.com/questions/26671599/), which is my attempt to get a canonical answer on this topic. – surfmuggle Nov 03 '14 at 10:06
  • 1
    @threeFourOneSixOneThree OP never stated the web server used, updated for the general case. – rook Nov 03 '14 at 15:27
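
An added example, not part of the answer or comments above: a Python check for the access-log exposure the answer describes, which finds secret-bearing query parameters in logged request lines and redacts their values. The sample log lines, the parameter-name list and the function names are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qsl, urlencode

# Parameter names treated as secrets (assumed list; extend it for your API).
SENSITIVE = {"password", "pass", "token", "api_key", "apikey", "access_token", "session"}

# Request line inside a common/combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>HTTP/[\d.]+)"')

# Constructed sample entries: TLS protected these URLs in transit,
# but the server wrote them to its log in cleartext after decryption.
SAMPLE_LOG = [
    '203.0.113.7 - - [03/Nov/2014:10:06:00 +0000] '
    '"GET /api/messages?user=alice&password=hunter2 HTTP/1.1" 200 512',
    '203.0.113.7 - - [03/Nov/2014:10:06:05 +0000] '
    '"GET /api/messages?page=2 HTTP/1.1" 200 2048',
]

def find_secrets(line):
    """Return the names of sensitive query parameters in a logged request."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    query = urlsplit(m.group("target")).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if k.lower() in SENSITIVE]

def redact(line):
    """Replace sensitive parameter values; other lines are returned unchanged."""
    if not find_secrets(line):
        return line
    m = REQUEST_RE.search(line)
    parts = urlsplit(m.group("target"))
    # Note: urlencode re-encodes the remaining values (e.g. %20 becomes +).
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    target = parts._replace(query=urlencode(pairs)).geturl()
    return line[:m.start("target")] + target + line[m.end("target"):]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        hits = find_secrets(entry)
        if hits:
            print("secret in URL:", ", ".join(hits))
        print(redact(entry))
```

Credentials sent in the request headers or body never reach the request line, so a check like this only needs to look at the logged URL.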